Routing internal mail from Exchange Online / Microsoft 365 to Mailprotector's smarthost


By default, Exchange (and Exchange Online) routes all internal messages without them ever reaching the Internet. This prevents internal email from passing through Mailprotector's smarthost, and by association, Bracket encryption. Internal messages on Exchange are inherently more secure due to this behavior. However, some users may still have reasons to require filtering or Bracket encryption of internal email as well.

The steps below provide Transport Rule and Connector configurations that route internal email through Mailprotector's smarthost without conflicting with existing connector configurations.

Applies To:

CloudFilter, SafeSend, Bracket, Exchange Online, Office 365 (O365)


This article assumes you have already completed the configuration of the outbound connector to route external email through Mailprotector's smarthost.

ON-PREMISE EXCLUSION: On-premise Exchange servers (2010, 2013, 2016, 2019) do not provide functions to alter internal mail routing without significant effort and third-party add-ins. Mailprotector cannot provide support for this use case. Microsoft 365 and the steps included in this article are for informational purposes. Mailprotector does not provide Microsoft 365 or Exchange Online support in its scope of services.

IMPORTANT NOTE: The Mailprotector filter is designed with Exchange Online's default internal routing behavior in mind. Filtering changes in Mailprotector will likely be necessary to avoid a high false positive rate if all internal messages are routed through Mailprotector's relay.

Configuration Steps

1. Create the Outbound Connector

  1. From the Mailflow > Connectors tab, click the icon to add a new connector.
  2. Provide a name and description that will allow the connector to be easily distinguished from other Mailprotector connectors. Leave "Turn it on" checked, and click Next.




  3. Set the connector to only be used when a transport rule redirects messages to this connector, and click Next.




  4. With "Route email through these smart hosts" selected, add the smart host for your Mailprotector domain to the list with the + icon, and then click Next.




  5. Leave TLS and certificate settings at default, and click Next.




  6. Review the settings to confirm that they are correct, and then click Next.
  7. Enter a test address to validate this connector using the icon. This can be any external address that you have access to. Do use an address that is the same as the domain you are configuring. Click Validate.
  8. Once validation is complete, click Save.




  9. Proceed to one of the two Transport Rule configurations below, depending on whether all internal mail should be routed to Mailprotector or only internal mail that will qualify for Bracket encryption.

NOTE: If the "Send test email" validation fails, the connector can still be saved, and will function correctly as long as there is not a larger configuration issue.

2a. Create a transport rule that routes all internal mail through Mailprotector's smarthost

    1. Navigate to Mail Flow > Rules, and click the icon to create a new transport rule.
    2. Add a descriptive name that will allow this rule to be easily distinguished from other transport rules.
    3. Click "More Options..." to allow the rule to be built using multiple conditions, and an exception.
    4. Using the add condition button, add Sender and Recipient criteria that match on "Inside the organization".




    5. Set "Do the following..." to the action of "Use the following connector...", pointing to the connector created in section 1.


    6. Click add exception with criteria of "A message header matches these text patterns" and an 'X-Mailprotector-ID' value of '.', and then click Save.




CRITICAL STEP: Step 6 is required in order to avoid a mail loop when the message passes back to Exchange. It is critical that each field matches the screenshot identically to prevent the mail loop.

2b. ** OPTIONAL ** Route only internal mail which has a subject that matches for Bracket encryption

  1. After completing all steps in 2a, add a 3rd condition of "The subject matches...". This provides the transport rule with a regex that matches the criteria Bracket uses at the smarthost.

NOTE: If using curly braces or pipes as the Bracket trigger, the following expressions will be used instead:

^\{.*\}   <-- curly braces
^\|.*\|   <-- pipes
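
The same connector and transport rule can be expressed in Exchange Online PowerShell. This is an added example, not Mailprotector's own script: it assumes an existing Connect-ExchangeOnline session, the connector and rule names are hypothetical, the smart host is a placeholder, and the "Partner" connector type is an assumption because the page does not state it. The default-trigger subject expression is not reproduced on this page, so the curly-brace expression above is used for 2b.

```powershell
# Added example. Placeholders and hypothetical names are marked as such.
$connectorName = 'Mailprotector - Internal Relay'        # hypothetical name
$ruleName      = 'Route internal mail to Mailprotector'  # hypothetical name
$smartHost     = '<your-mailprotector-smarthost>'        # placeholder: use your domain's smart host

# Section 1: outbound connector that is used only when a transport rule redirects to it.
# TlsSettings is left unset here; compare the result with a wizard-created
# connector (Get-OutboundConnector) to confirm it matches step 5.
$connector = @{
    Name                  = $connectorName
    Comment               = 'Internal mail routed to Mailprotector smarthost'
    ConnectorType         = 'Partner'      # assumption: not stated on the page
    UseMXRecord           = $false         # "Route email through these smart hosts"
    SmartHosts            = $smartHost
    IsTransportRuleScoped = $true          # step 3: only when a rule redirects here
    Enabled               = $true
}
New-OutboundConnector @connector

# Section 2a: sender and recipient inside the organization, with the
# X-Mailprotector-ID exception from step 6 that prevents the mail loop.
# Created disabled (an added precaution) so the exception can be checked first.
$rule = @{
    Name                               = $ruleName
    FromScope                          = 'InOrganization'
    SentToScope                        = 'InOrganization'
    RouteMessageOutboundConnector      = $connectorName
    ExceptIfHeaderMatchesMessageHeader = 'X-Mailprotector-ID'
    ExceptIfHeaderMatchesPatterns      = '.'
    Enabled                            = $false
}
New-TransportRule @rule

# Section 2b (optional): restrict the rule to Bracket-triggering subjects.
# Use the expression that matches your Bracket trigger.
Set-TransportRule -Identity $ruleName -SubjectMatchesPatterns '^\{.*\}'

# Enable the rule only if the loop-prevention exception is present.
$check = Get-TransportRule -Identity $ruleName
$check | Format-List Name, State, FromScope, SentToScope,
    RouteMessageOutboundConnector, ExceptIfHeaderMatchesMessageHeader,
    ExceptIfHeaderMatchesPatterns, SubjectMatchesPatterns

if ($check.ExceptIfHeaderMatchesMessageHeader -eq 'X-Mailprotector-ID' -and
    $check.ExceptIfHeaderMatchesPatterns -contains '.') {
    Enable-TransportRule -Identity $ruleName
} else {
    Write-Warning 'Exception on X-Mailprotector-ID is missing; rule left disabled to avoid a mail loop.'
}
```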